-
Vulnerability Information

-
Vulnerability Description

The 'SuSEconfig.gnome-filesystem' script for YaST on SuSE Linux contains a flaw that may allow a malicious local user to manipulate arbitrary files on the system. The issue is due to the script creating temporary files insecurely in the 'tmp.SuSEconfig.gnome-filesystem.$RANDOM' temporary directory. A user can mount a symlink-style attack to manipulate arbitrary files, resulting in a loss of integrity.

-
Timeline

Disclosure date:
2004-01-12

Discovery date:
Unknown

Exploit date: Unknown

Solution date: Unknown

-
Solution

Currently, there are no known upgrades or patches to correct this issue. A potential workaround is to edit the SuSEconfig.gnome-filesystem script and change TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM to something like TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$$, making the PID-based number more difficult to predict.
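A stronger form of the workaround above, as an added example that is not SuSE's script: let `mktemp -d` choose the name and create the directory atomically, so safety does not depend on the suffix being hard to guess. The function names are hypothetical; the second function covers the case where a fixed name must be kept.

```shell
#!/bin/sh
# Added example, not code from SuSEconfig.gnome-filesystem.
# Function names below are hypothetical.

# Create a private scratch directory under $1 (default /tmp).
# mktemp -d picks an unpredictable name and creates the directory
# atomically with mode 0700; it never reuses an existing path.
make_private_tmpdir() {
    base=${1:-/tmp}
    mktemp -d "$base/tmp.SuSEconfig.gnome-filesystem.XXXXXXXXXX"
}

# Fallback when a fixed or guessable name has to be used: plain mkdir
# (no -p) fails if anything already exists at the path, including a
# symlink, so a pre-existing entry is refused rather than followed.
claim_fixed_tmpdir() {
    dir=$1
    ( umask 077 && mkdir -- "$dir" ) 2>/dev/null || return 1
    # Defence in depth: the result must be a real directory, not a link.
    [ -d "$dir" ] && [ ! -L "$dir" ]
}

# Typical use inside a script:
#   TEMP=$(make_private_tmpdir) || exit 1
#   trap 'rm -rf -- "$TEMP"' EXIT
```

Files written inside the resulting directory are safe from other local users because the directory itself is mode 0700 and owned by the caller.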

-
Vulnerability Information

Credit:
Discovery of this vulnerability has been credited to l0om <l0om@excluded.org>.

-
Affected Versions

S.u.S.E. SuSEconfig.gnome-filesystem
+
S.u.S.E. Linux Personal 9.0

-
Discussion

SuSEconfig.gnome-filesystem has been reported prone to an insecure file creation vulnerability that may be exploited to corrupt arbitrary files. The issue reportedly arises because the SuSEconfig.gnome-filesystem script follows symbolic links when writing certain specific files.

SuSE Linux 9.0 has been reported to be prone to this issue; however, other versions could be affected as well.